Preventing account takeovers through expired domains (was: Do we have any policy for disabling inactive users)

Vitaly Zaitsev via devel wrote:
> We're talking about potentially hacked accounts, right?

In this subthread I'm talking about *preventing* account takeovers so
that they don't happen in the first place. One specific method of
takeover that the Fedora Project would be able to prevent.

I thought the quote I posted was perfectly clear. Evidently it wasn't.
Allow me to explain the scenario step by step:


Step 1: J. Doe joins the Fedora Project using a working email address,
j.doe@xxxxxxxxxxx. J. Doe gets sponsored and makes some packages. All
is well so far.

Step 2: Much later, the holder of example.net stops paying the renewal
fee. The registry removes the domain from DNS. j.doe@xxxxxxxxxxx ceases
to exist. J. Doe forgets to update the address in their Fedora account.
This has happened to 2818 NPM accounts according to the article I
quoted. It can happen to Fedora accounts too.

Possible step 3: A program on a Fedora Project server notes that
example.net has been deactivated. The program removes the address
j.doe@xxxxxxxxxxx from J. Doe's account, or disables sending to the
nonexistent address.

Question: Does step 3 happen? I suspect that this program doesn't exist.
I haven't seen any mentions of it.

Step 4: The quarantine period ends. The registry releases example.net
for registration.

Step 5: Malicious Mallory registers example.net, sets up a mail server
and configures the alias "j.doe". Suddenly j.doe@xxxxxxxxxxx exists
again, but now this address quite legitimately belongs to Mallory.

Step 6: Mallory enters J. Doe's username into 
https://accounts.fedoraproject.org/forgot-password/ask and clicks on
"Send".

Branch 6A: If step 3 was not done, then a passphrase reset email is sent
to j.doe@xxxxxxxxxxx and is received by Mallory. Mallory takes over J.
Doe's account and replaces any SSH and OpenPGP keys with his own.
Malicious Mallory is now a Fedora packager in the name of J. Doe, and
is empowered to insert malware into J. Doe's packages.

Branch 6B: If step 3 was done, then no passphrase reset email is sent.
Mallory's attack fails.

Step 7: J. Doe tries to log in.

Branch 7A: If step 3 was not done, then none of J. Doe's credentials
work anymore. Mallory has control of the account and J. Doe is locked
out.

Branch 7B: If step 3 was done, then the account still belongs to J. Doe.
The account system tells J. Doe to enter a new email address. The
system sends a verification code to this new address. This is not a
passphrase reset. It's an email address verification code, which J. Doe
must paste into the web interface while logged in, to prove that the
address belongs to the right person. After the new address is verified,
J. Doe's account works normally again.


Note that Mallory must do step 5 before step 6 for the attack to work,
and the registry won't allow step 5 to happen before step 4. Therefore
doing step 3 before step 4 ensures that step 6 cannot happen before
step 3. That way the Fedora Project could reliably prevent this kind of
attack.

I hope this explanation is clear enough to be understood. In case of
TL;DR, the short version is four posts upthread from here.

So, does step 3 exist?

Björn Persson
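The "step 3" check described in this post, written out as an added example (not Fedora's code and not the poster's): a script that looks up each account's email domain, separates domains that have really left DNS from lookups that merely failed, and returns the usernames whose addresses should no longer receive passphrase-reset mail. The account records, the `Resolver` contract and the sample data are assumptions made for the example.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Resolver contract: True = domain exists in DNS, False = it does not,
# None = inconclusive (SERVFAIL, timeout); None never counts as "gone",
# or a DNS outage would lock every user out of password resets.
Resolver = Callable[[str], Optional[bool]]

@dataclass(frozen=True)
class Account:          # assumed shape of an account record
    username: str
    email: str

def domain_of(email: str) -> str:
    """Lower-cased domain part of an address, trailing dot removed."""
    return email.rsplit("@", 1)[1].lower().rstrip(".")

def socket_resolver(domain: str) -> Optional[bool]:
    """Live resolver using only the standard library; an address answer
    counts as alive. Production code would check MX records instead."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror as exc:
        return False if exc.errno == socket.EAI_NONAME else None

def find_dead_addresses(accounts: Iterable[Account],
                        resolve: Resolver) -> Tuple[Set[str], Set[str]]:
    """Step 3: usernames whose email domain is gone, and usernames whose
    lookup was inconclusive and should be retried. One lookup per domain."""
    cache: Dict[str, Optional[bool]] = {}
    dead, unsure = set(), set()
    for acct in accounts:
        dom = domain_of(acct.email)
        if dom not in cache:
            cache[dom] = resolve(dom)
        if cache[dom] is False:
            dead.add(acct.username)
        elif cache[dom] is None:
            unsure.add(acct.username)
    return dead, unsure

# Constructed sample data standing in for the account database and DNS:
# example.net has lapsed, example.org is fine, example.com timed out.
SAMPLE_ACCOUNTS = [Account("jdoe", "j.doe@example.net"),
                   Account("alice", "alice@Example.ORG."),
                   Account("bob", "bob@example.com")]
FAKE_DNS = {"example.net": False, "example.org": True, "example.com": None}
fake_resolver: Resolver = lambda dom: FAKE_DNS.get(dom, False)
```

The reset endpoint would consult the `dead` set before mailing anything (branch 6B), while the `unsure` set is simply rechecked on the next run; with `socket_resolver` in place of `fake_resolver` the same function runs against real DNS.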


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
